Joe Hall’s “Top-10 Election Security List”
Last week’s electionlineWeekly has a great farewell piece of sorts on election security by Joseph (“Joe”) Lorenzo Hall, who’s moving on from exclusively election-focused work to join the Internet Society as its new Senior Vice President for a Strong Internet. Check it out:
I’ve been working with election technology for 17 years — first as a young student and academic and most recently as part of civil society. Despite that, I suspect this puts me somewhere in the middle of the experience range for most electionline readers!
Still, as I find myself moving on to other more challenging pastures in my own career, I can’t help but look back at how far the elections community has come over these years. At the same time, it seems like our work will never truly be complete.
As an expert in privacy and security, I wanted to take the time to try and jot down a quick list of pieces of advice… although of course that list might be tailored a bit differently depending on where you sit. In the interest of bridging communities, I’ll offer five pieces of advice to election officials and another five to security experts.
For election officials:
- Build community: We are all in this together and for the most part have the exact same goals: making sure eligible voters can cast votes as intended and have those ballots counted as cast. We have never faced the threats — or opportunities, frankly — that we face today, and I spend a good deal of time explaining to people why one thing or another is not happening and which element of the elections community is frustrating that progress. The only thing that will be constant in the new election administration is change, and everyone is going to need to do things that may make them uncomfortable, including trying to appease, entertain, and tolerate even the most litigious or aggressive voices throughout the community. Try to give everyone a fresh take and don’t let grudges or spats from years past cloud the current set of complex tasks at hand. And don’t refer students tinkering with your stuff to the FBI.
- Train: We’ve never been in a place like where we are now: so much of the stability and integrity of the election process relies on staff having expertise built into them and reinforced constantly. CDT and our partners CTCL have created a self-paced cybersecurity training for election officials, and this is essentially the minimum election staff will increasingly need to be familiar with in order to ensure they are a capability and not a liability. There are an increasing number of groups that can help create training materials or other kinds of educational tools around emerging concepts such as cybersecurity, risk-limiting auditing, moving (or not!) to the cloud, etc.
- Cultivate your inner geek: I tell people that my job in life is to “create a tiny technologist within you… each of you… no matter how tiny!” By this, I’m trying to tell people that to the extent they cultivate and encourage their own technical-geek tendencies, they will be better off in work and life… and this is especially true for people working on the front lines of critical infrastructure like elections. For example, do you know how to securely send a file from one person to another without anyone in between being able to intercept it or observe it? Check out https://send.firefox.com, which you can use for everything from W-9s, I-9s, etc. and the encryption protecting those files takes place in the browser itself, so no one ever has the opportunity to eavesdrop, modify, or learn what you are sharing. And that’s just one example of a killer tool… if you keep your ear to the ground and make some geeky friends, there are oodles of little tricks and tools you can use to make your life and job easier. (And when you have enough of these tricks, people may start calling you a “hacker” and that’s a good thing.)
- Put two-factor on errythang: I cannot stress enough that you should all be using two-factor authentication on absolutely everything you can, on your work accounts but also on your personal accounts. As we explain in this one-pager, two-factor is having to enter something in addition to your password to login to a service; for example, your bank may send a text message with a six-digit code when you’re trying to login from a new device or an exotic location. This is crucial as stealing an account without two-factor protections is a key step in remote attacks that might originate from malicious attackers in other countries, a key threat we clearly face in the United States. But I would also encourage you to turn it on by default across your election office and force all of your staff to use it, most importantly senior staff and leadership. If the equivalent of an Elections Director or CEO cannot be bothered to protect voter data and elections processes, your office is as good as doomed as the most important person there is unprotected.
- Think as medium- and long-term as you can: So often we plan for the immediate short term, but as you may have seen, changes to equipment and processes — for example, single-ballot comparison risk-limiting audits! — often bleed over into the medium and long term. You may not be able to get to your ideal state of running elections tomorrow or even next year, but if you don’t plan to orient and make progress — measurable progress — towards the ideal state, you will literally never get there.
For security experts:
- Build community: Security experts don’t face the constraints that many other people in the elections community face — they aren’t answerable to the public, they don’t have precarious vendor relationships, and they don’t sit in the middle of a complex set of government hierarchies. This freedom is exactly why many of us are attracted to the work, but it can also mean at certain crucial times we are seen as loose cannons, with no real insight into the constraints that affect election officials and others. I would encourage you to make one election official friend every two months until the 2020 election… that’s at least 6 new friends, but it’s also six people that can give you feedback about your work, your tone, the degree of receptivity you enjoy, and many other things (like Tammy [Patrick]’s love of Bluegrass!). It’s time to build relationships, not complicate them or break them.
- Disclose privately, first: I think we’ve seen an arc in terms of disclosures from security experts about process, privacy, and security vulnerabilities; in the early 2000s it was disclose publicly, talk to the press. Recently, I’ve seen disclosures happen over longer periods of time and privately and I think that’s on balance the right thing to do, given the constraints that I mention above. Of course, there is always a role for public disclosure, but I would urge you to make that the last resort, and, when you do, make sure a reporter who understands elections is behind you! I have also seen recent private disclosures that have resulted in good mitigations at what I would consider lightning speed. That is a good sign that the community is maturing — election officials, their coordinating organizations like MS/EI-ISAC, and manufacturers — and better able to handle things privately when vulnerabilities or flaws are live. There will always be time for follow-up and always time for more newsworthy items in the future, but you never know who has an election right around the corner, and we want to help defenders more so than attackers.
- Work with election officials: We often tell people interested in helping out in elections that the greatest thing they can do is be a poll worker. That is true, but for those of us with significant technical expertise, we can go further: we can be technical poll workers. Election officials need help not just in traditional poll worker duties, but as our voting machinery becomes increasingly computerized and networked officials are going to need volunteers that can help troubleshoot technology failures. And we have to create frameworks that allow for this without also “letting the fox in the henhouse”, so to speak. We at CDT have taken a shot at this with a set of toolkits for technical folks and election officials that would like to attract those people, and the last DEF CON Voting Village held an off-the-record session to see how hackers can actually step up and defend on the front lines. Let’s build this capacity, together.
- Build things to the greatest extent you can: So often technical election security work is about breaking things, be it machinery, software, schemes, or processes. However, nowhere is it more important to make sure that as we break things we attempt to build things too. I’m heartened by the efforts of LA County with the VSAP system, VotingWorks with its system and their Arlo risk-limiting auditing software, and Microsoft’s efforts to actually bring cryptographic end-to-end election methods out of the pages of theory and into the real world. We are going to need secure accessible verification for printed ballots with QR codes, more flexible methods of composing risk-limiting audits across jurisdictions with varying technology and law, and e-pollbooks that we don’t glance at and shudder at the potential for insecurity.
- The internet is here: None of you are going to like this, but we have to recognize that the internet is here and people are going to cast voted ballots over it. I know that makes me scream inside; if only people knew what we know about the stuff that makes up our devices, networks, and servers (it’s all effectively rubber bands and paperclips)… and how the heck are we supposed to do risk-limiting audits of elections without a software-independent record of the voter’s intent? Yes, people are going to cast ballots over the internet, but instead of saying “never!” we need to say, “Only when absolutely necessary, when there are no alternatives to return a physical ballot, and with the full understanding of the voter that they may be submitting garbage.” We need to work to minimize internet voting until we have the necessary breakthroughs that can help fix the sorry state of our digital technologies… but those breakthroughs are going to take decades and it’s hard to imagine being able to hold the “no internet voting” line for decades. We have to choose our absolutes carefully and minimize other badness.
So long and thanks for all the votes!
Kudos to electionline and Mindy Moretti for giving Joe the opportunity to share these thoughts. I am a huge fan of Joe’s; he is a key voice in the University of Minnesota election program’s Election Cybersecurity course and someone whose work – and approach – I’ve admired for years. I am clinging to the hope that he will still find time in his new gig to interact with and inspire the election community, which is so much smarter for his time in it. Thanks, Joe – and stay tuned!